Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Enterprise Security: Why are notable events not created and notable alert_action is not triggered?

kwchang_splunk
Splunk Employee
Splunk Employee
‎02-01-2017 07:41 AM

One of my Splunk Enterprise Security customer's complained that sometimes the notable events are not created even when the corresponding raw data is there.
So I checked the scheduler log and found that there were cases that the "notable" alert_action was not triggered when the result_count was not "0".

Please see the red box in the screen capture below. This correlation search runs every 2 minutes. At 13:00:54, result_count was "1", but "notable" alert_action was not triggered.

alt text

This problem (missing notable events) happens randomly across almost all correlation searches they have, several times in a day.
Unfortunately, I couldn't find any clue from the splunkd log so far. There were no error or warning messages when these problems happened.

My customer is running ES 4.1.1 on Splunk 6.4.3. (search head clustering + multisite indexer clustering environment)

Any suggestion for troubleshooting would be very appreciated.
Thank you in advance.

Preview file
384 KB
0 Karma
Reply

smoir_splunk
Splunk Employee
Splunk Employee
‎02-01-2017 09:49 AM

Check the throttling of notable events for that search. If the search is throttling notable events, and the "randomly" skipped notable events fall into that time window, that would explain why a notable event isn't being created.

0 Karma
Reply

aglinowi
Engager
‎05-21-2018 04:30 PM

Did you find a resolution to this problem? I'm experiencing a very similar issue. Thanks

0 Karma
Reply

kwchang_splunk
Splunk Employee
Splunk Employee
‎02-01-2017 02:53 PM

Hi smoir. Thank you for your answer.
Already checked that. Throttling was not configured.

0 Karma
Reply

kwchang_splunk
Splunk Employee
Splunk Employee
‎02-03-2017 07:32 AM

Hi Smoir. I just found an ongoing support case which has very similar symptom with my case. I think, I need to contact support team. Thank you.

0 Karma
Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey


Introducing Unified TDIR with the New Enterprise Security 8.2

Read the blog
Get Updates on the Splunk Community!

Index This | What’s a riddle wrapped in an enigma?

September 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

BORE at .conf25

Boss Of Regular Expression (BORE) was an interactive session run again this year at .conf25 by the brilliant ...

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...